ISO 27001:2013 To ISO 27001:2022 Transition

The ISO/IEC 27001 information security management system standard provides businesses with a framework for managing risks and protecting against threats to secure information assets ranging from financial information and intellectual property to employee information and more.

Today, information security is at the forefront of practically every company's priority list.
The scenarios organisations face are changing. Rising adoption of cloud and automation technologies, together with growing cybersecurity, privacy, malware and ransomware concerns, is compelling companies to reassess their context, their principal risks and threats, and their relevant interested parties in an organised and trustworthy manner.

The revised ISO/IEC 27001:2022

The new ISO/IEC 27001:2022 edition tackles the new scenarios that companies must deal with. Most of the changes are in Annex A, which had been anticipated by the earlier publication of ISO/IEC 27002:2022, where security controls were added, removed or merged. The modifications include advances in cyber security and privacy, a refresh of the control language, and new implementation guidance. This enables businesses to monitor risks, ensure that nothing is overlooked, and follow up properly.

The previous version was released in 2013. Inevitably, the security control modifications are substantial: 11 new controls, 58 revised controls, and 24 controls formed by merging 57 of the 2013 controls. The result is 93 controls grouped into four themes (organisational, people, physical and technological), replacing the 114 controls in 14 domains of the 2013 edition.

The following changing scenarios are addressed in particular:

  • Introduction of modern technology such as cloud computing and automation.
  • Recent growth in the adoption of such technology.
  • Recognising security and privacy threats.
  • The shifting threat landscape, such as new varieties of malware and ransomware.
  • Alignment with other best practices, such as NIST, COBIT, and so on.
  • A refresh of the control language and additional guidance.

The adjustments have the greatest influence on the following areas:

  • Leadership
  • Corporate Security
  • Information Technology
  • Other support functions
  • Delivery (for all service providers)

To remain compliant, organisations must re-evaluate their risk assessments, map their existing controls to the new Annex A, and update their Statement of Applicability and risk treatment plan accordingly. In addition to the control adjustments, the 2022 edition has been re-aligned with the most recent updates to ISO's High-Level Structure (HLS), based on the latest version of Annex SL of the ISO/IEC Directives Part 1 (2022). These clause-level changes are minor, because the 2013 edition was one of the first standards to adopt the HLS; examples include the new clause 6.3 on planning of changes and the requirement in clause 4.2 to determine which interested-party requirements will be addressed through the ISMS.

Timeline for Transition

The updated edition of ISO/IEC 27001 was published on 25 October 2022, and the transition period lasts three years. Existing 2013 certificates must therefore be transitioned to the new version no later than 31 October 2025, after which they expire or are withdrawn. The transition audit can be undertaken as part of any planned surveillance or recertification audit during the three-year transition period, or as a dedicated transition audit.

Preparing for implementation
We recommend that you begin preparing for the transition as soon as possible and plan thoroughly, so that the necessary changes are incorporated into your management system.

Steps to take during the transition:
  • Learn the standard's contents and requirements.
  • Pay attention to the modifications introduced by the updated standard.
  • Ensure that all relevant individuals in your organisation have received training and are aware of the requirements and major changes.
  • Identify the gaps that must be closed to meet the new requirements and develop an implementation strategy.
  • Take the necessary actions and update your management system to meet the new requirements.

How RNR can help

RNR can help you with your information security management system certification and transition, whether you are already certified to ISO/IEC 27001 or are new to the standard. As a world-leading certification organisation, we work with small and large businesses all over the world to meet their IT, cyber security and privacy needs.

If you are preparing to upgrade from version 2013 to version 2022, we can help you with the following services:

  • Gap analysis: we conduct a gap analysis to identify the differences between your current ISMS and the requirements of ISO 27001:2022, including a mapping of your existing Annex A controls to the 2022 control set. This helps us prioritise the changes that need to be made to your ISMS.
  • Transition plan: we develop a transition plan that outlines the steps needed to move to ISO 27001:2022, including a timeline, budget and resources.
  • Implementation: we work with you to implement the changes to your ISMS, including training your staff, updating documentation such as the Statement of Applicability and risk treatment plan, and testing your controls.
  • Preparation for the certification audit: we help you prepare for your transition audit by reviewing your documentation and providing training to your staff.

Transitioning to ISO 27001:2022 can provide your organization with several benefits, including:

  • Increased confidence in your information security
  • Reduced risk of data breaches and other incidents
  • Improved compliance with regulations
  • Increased customer trust
  • Enhanced brand reputation

RNR is here to help you every step of the way.

Are you considering ISO/IEC 27001 certification for the first time? Please see our information security management system service page for additional information on its features, benefits, and certification path.

To learn more about our consulting services or to schedule a consultation, please feel free to contact us.